Connecticut Attorney General George Jepsen, along with eight other AGs, recently sent a letter to four leading U.S. banks and four card brands urging them to roll out EMV credit cards as chip-and-PIN, rather than chip-and-signature, which is the prevailing strategy.

"It's time for us to move forward with chip-and-signature and focus our attention on implementing additional layers of security through encryption and tokenization."

The AGs note that the massive number of data breaches, which include payment card breaches, that have occurred in the last year have put consumers at risk. By implementing chip-and-PIN, consumers will not "continue to pay the price for [banks' decisions for] settling for weaker standards," the AGs contend.

"Implementation of chip-enabled cards in the United States is imperative in order to provide stronger payment security and assurance to consumers," the letter states.

The Dusty Chip-and-PIN Debate

Clearly, the additional authentication provided by the PIN makes chip payments more secure. What's more, the argument card issuers and the card brands are using to justify not implementing PINs is weak. They contend that consumers would find the use of PINs cumbersome and inconvenient.

I believe the decision to move forward with chip-and-signature had much more to do with cost, concerns about interchange and transaction routing, and a need for speedy deployment in the market than it did about customer convenience.

Retailers are continuing to attempt to sway public opinion in favor of chip-and-PIN - arguing that is offers superior authentication to chip-and-signature and enhances security. And now nine state AGs have jumped on that bandwagon.

But it's time to accept the implementation of chip-and-signature, which is well underway, and focus on adding more layers of security through encryption and tokenization.

Chip cards, whether authenticated with signature or PIN, are far more secure than, and superior to, magnetic-stripe cards. Chip cards can't be counterfeited, and if they are lost or stolen, EMV-compliant merchants won't be liable for fraud. And PINs really only have an impact on reducing fraud in lost-and-stolen scenarios.

Besides, EMV is building a bridge for mobile payments, which don't need PINs for authentication. Mobile payment transactions are authenticated through device identification and biometrics.

Setting priorities

Several analysts I talked to about the issue this week offer a similar point of view.

For example, Al Pascual, director of fraud and security at Javelin Strategy & Research, says politicians should be more focused on efforts to support stronger data security and breach notification than they are on the PIN versus signature debate.

"The value of EMV chip cards is in their resistance to counterfeiting, which is a multibillion dollar problem in the U.S.," Pascual says. "And it is here that neither PIN nor signature really matter."

Shirley Inscoe, a financial fraud expert at consultancy Aite, argues that the focus should be on a shift to mobile payments.

"Chip-and-PIN only adds the protection against lost and stolen cards to what chip and signature provides," she says. "But lost and stolen losses are very low compared to other loss types, such as counterfeit or card-not-present. ... If these officials are truly interested in protecting consumers, they should be asking banks to prioritize mobile payments and encouraging their constituents to switch to mobile payments. Mobile payments will not provide card information to retailers or merchants, so the data cannot subsequently be breached. This would better protect all parties involved."

EMV chip payments are likely to push more consumers and retailers toward mobile, adds Avivah Litan, a payments and fraud expert at the consultancy Gartner. And the benefit of mobile payments, such as Apple Pay, is that they can be authenticated without a PIN, "because they have the password of the cellphone plus the optional biometric," she says.

Nevertheless, she acknowledges that chip-and-PIN is "definitely more secure than chip-and-signature." Litan blogged back in October about the weak argument banks had made for not implementing chip-and-PIN.

Tom Wills, director of Ontrack Advisory, a consulting firm focused on payments innovation, portrays chip-and-PIN as nothing more than a temporary fix.

"As someone who's been critical of the 'chip and signature' decision, I'm solidly behind the AGs' request," Will says. "But just to put that into context, I would have way preferred that the U.S. industry leapfrog EMV completely - and the massive expenditure on card and terminal upgrades that EMV forces - and just start the migration to mobile, since that's clearly where the world is going. I've been saying that since 2008. The way I see it: Yes, we should have chip-and-PIN in the U.S., but it would basically be a Band-Aid.

So rather than focus on a Band-Aid solution, it's time to accept chip-and-signature and focus on adding additional layers of security, such as encryption and tokenization, until we make the transition to mobile payments.

About the Author

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.asia, you agree to our use of cookies.